Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Critical Bug Impacts Live555 Media Streaming Libraries

A critical streaming bug impacts Live Networks LIVE555 RTSPServer, but not the popular VLC and MPLayer client-side software.

A critical remote code-execution bug has been found in the popular Live Networks LIVE555’s streaming media RTSPServer. The vulnerability could allow an attacker to send a specially crafted packet to vulnerable systems and trigger a stack-based buffer overflow, according to researchers at Cisco Talos.

Initial concern over the bug (CVE-2018-4013) had client-side users of the popular VLC open-source media player and the MPLayer video player scrambling to update their software. However, as Cisco Talos pointed out, the impacted LIVE555 Media libraries only affects streaming server software, not the players that use it.

LIVE555 is a set of C++ libraries used in streaming media server software created by Live Networks that support streaming over protocols RTP/RTCP, Real Time Streaming Protocol (RTSP) and SIP. The underlying technology is used sometimes within the client-side versions of players.

However, while Vanja Svajcer, a researcher at the Cisco Talos Intelligence Group, explained in a blog post that the LIVE555 Media Libraries “are utilized by popular media players such as VLC and MPlayer, as well as a multitude of embedded devices (mainly cameras),” the client-side use of LIVE555 libraries are not vulnerable to attack.

In an effort to allay concerns about the bug’s impact, Live Networks publicly stated that the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s).”

Svajcer wrote that the vulnerability exists in one of the functionalities enabled by LIVE555 for its standard RTSP server: The ability to tunnel RTSP over HTTP.

“[This function] is served by a different port bound by the server, typically TCP 80, 8000 or 8080, depending on what ports are available on the host machine,” he explained. “This port can support normal RTSP, but in certain cases, the HTTP client can negotiate the RTSP-over-HTTP tunnel.”

He said the flaw arises in the function that parses HTTP headers for tunneling RTSP over HTTP: “An attacker may create a packet containing multiple ‘Accept:’ or ‘x-sessioncookie’ strings which could cause a stack buffer overflow in the function ‘lookForHeader,'” he said.

More specifically, the bug is contained in the Live Networks LIVE555 Media Server (version 0.92) and “may also be present in the earlier version of the product,” according to Cisco Talos.

There are two memory corruption vulnerabilities in some versions of the VLC open-source media player that can allow an attacker to run arbitrary code on vulnerable machines. Neither one of the vulnerabilities has been fixed by VideoLAN, the organization that maintains VLC. Security researcher Veysel Hatas reported the vulnerabilities to VideoLAN in December and published the […]

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.